Understanding Deterrence & Crime Prevention June 25, 2014

The following is an excerpt from the 2012 research brief titled “Failed State of Security; A Rational Analysis of Deterrence Theory and Cybercrime.” I was recently provided a blog post by an ‘expert’ in which the author was again blaming the victim of a data breach while chiding companies for believing that they should not expect law enforcement to be there when you need them. The author misses a major purpose of the criminal justice system: deterrence of criminal behavior. In late 2013 a US Senator stood in front of a Target store and blamed Target for their data breach. Interestingly, this senator did not state that the US should redouble efforts to deter cybercrime through more effective laws or more aggressive law enforcement actions. Until the laws and criminal justice system can begin to deter such behavior, cybercrime will continue to plague data industries. So what is deterrence?

An Overview of Deterrence Theory

Deterrence theory has applications in a variety of fields, including military and maritime security settings, foreign affairs, and criminology, to name a few. While these fields are seemingly unrelated, their similarities are apparent when looked at closely. Each of these fields involves human decisions and humans who have the ability to behave and act in a manner contrary to the wishes of the other party. It is the ‘human element’ that is being modified by deterrent strategies.

History of Deterrence Theory

The concept of deterrence is relatively easy to understand and likely extends to the earliest human activities in which one early human dissuaded another from stealing food by employing the threat of violence against the interloper. Written examples of deterrence can be attributed as far back as the Peloponnesian War, when Thucydides wrote that there were many conflicts in which one army maneuvered in a manner that convinced the opponent that beginning or escalating a war would not be worth the risk.[1] In the 4th Century BC, Sun Tzu wrote: “When opponents are unwilling to fight with you, it is because they think it is contrary to their interests, or because you have misled them in to thinking so.”[2] While most people seem to instinctively understand the concept at the individual level, contemporary deterrence theory was brought to the forefront of political and military affairs during the Second World War with the deployment of nuclear weapons against Nagasaki and Hiroshima.[3]

The application of deterrence during WWII was the beginning of understanding that an internal value calculus drives human behavior and that behavior could be formally modeled and predicted with some degree of accuracy. From the mid-1940s through the 1950s, John von Neumann and, later, Nobel Prize recipient John Nash (A Beautiful Mind) developed the mathematical models of game theory, which addresses human rationality and decision making. Game theory and the concepts that underlie it are inextricably entwined with deterrence. Game theory is defined as: “the study of mathematical models of conflict and cooperation between intelligent, rational decision makers.”[4] By 1962 game theory and its underlying principle of the Rational Actor Model (RAM) were put to real-world use during the Cuban Missile Crisis. In this instance the Nash Equilibrium[5] was employed to predict that the Soviet Union would not escalate the crisis by attempting a run of the US Naval Blockade. The clearest evidence of the value of deterrence can be seen in Nikita Khrushchev’s own words when he warned colleagues that they were: “face to face with the danger of war and of nuclear catastrophe, with the possible result of destroying the human race.” He went on to say: “In order to save the world, we must retreat.”[6]

The concept of deterrence is synergistic with the concepts of the rational actor model and game theory. Today, rational deterrence theory has application to, and is frequently employed in, national defense, tactical military operations, counterinsurgency, counterterror, law enforcement, security, and numerous other areas where the predictable understanding of human behavior plays a crucial role.

Key Concepts of Deterrence Theory

“deterrence is ultimately about decisively influencing decision making. Achieving such decisive influence requires altering or reinforcing decision makers’ perceptions of key factors they must weigh in deciding whether to act counter to (our interests) or to exercise restraint.”[7]

This single sentence encompasses the two underpinnings of deterrence: rational choice and risk management.

Rational Actor Model (RAM)

Deterrence and game theory rely upon the premise that people are rational actors. The Rational Actor Model is based on rational choice theory, which posits that humans are rational and will take actions that are in their own best interests. Each decision a person makes is based upon an internal value calculus that weighs the costs and the benefits of an action. By altering the cost-to-benefit ratios of the decisions, the decisions, and therefore behavior, can be changed accordingly. While the concept is simple in theory, it can be somewhat more complex in practice. It should be noted at this point that ‘rationality’ relies upon a personal calculus of costs and benefits. When speaking about the rational actor model or deterrence, it is critical to understand that ‘rational’ behavior is that which advances the individual’s interests and, as such, behavior may vary among people, groups and situations. For this reason, it is impossible to prevent all crime through deterrence. Some people will simply weigh the pros and cons of committing a crime and determine it is ‘worth the risk’ based upon their personal value calculus.

While some criminologists dispute RAM in favor of other models, anecdotally it is difficult to argue with the value of the model. In The Management of Savagery, Al Qaeda strategist Abu Bakr Naji directs planners to weigh the “benefit and harm” of differing actions.[8] This clearly indicates a rational model where a cost-benefit calculus is being applied to the operations of a terrorist organization. George Habash of the Popular Front for the Liberation of Palestine was quoted as saying: “The main point is to select targets where success is 100% assured.”[9] This, again, echoes the model of risk management and a rational model of decision making. While the previous quotes are attributed to terrorist organizations or those associated with terrorist organizations, the concept repeats in all areas of behavior, including cybercrime.

In his seminal work More Guns, Less Crime, economist John Lott discusses burglary rates in Canada, the United Kingdom, and the United States. In Canada and the UK, where gun control laws are strict, almost half of all burglaries are classified as “hot,” meaning someone was in the house when the burglars committed the crime. In the US, where gun ownership is more prevalent, “hot” burglaries only account for about 13% of all burglaries. As Lott explains: “criminals are not behaving differently by accident.” Surveys of convicted felons indicate that the felons are much more worried about armed victims in the homes than they are about the police. In interviews about why they did not break into a house when someone was home, the recurring theme among criminals was: “that’s the way to get shot.”[10] While these examples demonstrate that people do weigh costs and benefits in criminal decisions, it is obvious that the challenge lies with understanding the internal, personal value system of the criminal, which varies from individual to individual. The RAM provides a very good theoretical model from which to work, but is not sufficient to address all known variables.

When considering crime, studies indicate that deterrence does play a role. As stated by Lott:

“Overall, my conclusion is that criminals as a group tend to behave rationally when crime becomes more difficult, less crime is committed. Higher arrest and conviction rates dramatically reduce crime.”[11]

This is consistent with research that shows that, in general, non-violent criminals and those seeking monetary rewards are more likely to qualify as rational actors. It is then logical that cybercriminals, generally drawn by monetary greed, may be classified as rational actors. For this reason, it is suggested that the use of deterrent strategies would have a predictable impact on cybercrime.[12]

3 Components of Deterrence

For any form of deterrence to be effective, it must be based upon the three principles of certainty, celerity, and severity. Certainty applies to the criminal’s belief in the likelihood of the threat (whether arrest, punishment or retribution) being carried out. Studies suggest that a certain, consistent level of certainty must be achieved to produce desired consequences. In short, if a law is all bark and no bite, the threat of a bite will have no impact on the cost-benefit analysis. Logically, if a criminal perceived a certainty of retribution, the criminal would calculate the risk of the crime differently than if they felt it was unlikely the threat would be carried out. The result is a greater deterrent effect.

Celerity applies to the promptness of the threat being carried out. If there is the threat of immediate action as opposed to the threat of action at some point in the distant future, the deterrent will have greater effect. Even if the likelihood of the punishment is 100%, if there is no immediate threat of retribution, there will be a decreased level of deterrence. This can be seen in the statements of the criminals interviewed about “hot” burglaries, where they indicated that they feared immediate retribution, in the form of running into an angry, armed homeowner during the course of the burglary, more than they feared eventual arrest and punishment.

Finally, the severity of punishment is critical to any deterrent. Most are probably familiar with the statement: “the punishment must fit the crime”. The increase in severity has a correlation to the effectiveness of the deterrent. In short, the greater the severity of the action, the less likely the prospective criminal is to perpetrate the act. An easy way to show the correlation is through the traditional model of risk analysis.[13]

Categories of Deterrence

Deterrence theory relies upon the rationality of actors to be effective. Criminal justice proposes two broad types of deterrence: general deterrence and specific deterrence. Both types of deterrence have application for cybercrime.

General Deterrence

General deterrence is proactive and attempts to target potential crimes before they are committed. Examples of general deterrence may include “no trespassing” signs warning that trespassing is a crime and stating the particular law and penalty. It is likely that most readers are familiar with the posted signs in post offices that warn of the “…minimum of 15 years in federal prison for robbing a post office.” For those who have travelled to Singapore, a form of general deterrence to drug trafficking is the very obvious sign that warns people entering the country that trafficking in drugs is punishable by death. Additionally, the passing of laws with increasingly stiff penalties for data theft would be an example of general deterrence. If general deterrence were entirely effective, data theft would be trending downward instead of increasing sharply year after year. Clearly, general deterrence has its limitations in cybercrime.

Specific Deterrence

Specific deterrence, on the other hand, is reactive and is focused upon punishing those who perpetrate crimes. Arrest and conviction provide specific deterrence to crimes. The concept of “The punishment should fit the crime” is an example of specific deterrence in action. Another example of specific deterrence is the use of armed guards on ships traversing the pirate-infested waters of the Gulf of Aden. Not only do the armed guards provide protective value, but the pirates must also consider the immediate consequences of being wounded or killed if they attempt a hijacking. Evidence of the value of the deterrent effect of armed guards can be seen in the fact that not a single armed vessel has been hijacked. Clark proposed that: “offender’s calculus is mostly based on that which is most evident and immediate, while neglecting the more remote costs and benefits of crime or its avoidance.”[14]

The US National Academy of Sciences established a panel in 1978 to study the various academic studies of deterrence. It found that:

“Taken as a whole, the evidence consistently finds a negative association between crime rates and the risk of apprehension, conviction, or imprisonment…the evidence certainly favors a proposition supporting deterrence more than it favors one asserting that deterrence is absent.”[15]

To be effective as a specific deterrent, the criminal must believe that he or she will be caught, be prosecuted, and be sentenced to a term that increases the risk to a point that criminal behavior changes. Certainty, celerity, and severity are critical when discussing specific deterrence.

In summary, there are currently few ways to deter a cybercriminal from stealing data from a company. Until deterrence can be applied to criminal behavior, cybercriminals will continue to plague the industry.

[10] John R. Lott Jr. More Guns, Less Crime: Understanding Crime and Gun Control Laws, Third Edition (Studies in Law and Economics) University of Chicago Press. Kindle Edition. (Kindle Locations 135-138).
